Abstract

Current state-of-the-art correct-by-design controllers are designed for full-state measurable systems. This work first extends the applicability of correct-by-design controllers to partially observable LTI systems. Leveraging second-order bounds we give a design method that has a quantifiable robustness to probabilistic disturbances on state transitions and on output measurements. In a case study from smart buildings we evaluate the new output-based correct-by-design controller on a physical system with limited sensor information.
1 Introduction

Reliable and autonomous operation of many complex engineering systems demands guaranteed behaviour over the full spectrum of operating conditions. This is the case with applications in avionics, automotive, transportation systems, dependable electronics, semiconductors [14], and in general in systems where safety is critical and where mistakes lead to impactful economical losses.

Within the computer sciences, verification and synthesis of critical hardware and software has been attained in the industrial practice by tools and techniques from the domain of formal methods [4]. Employing well-structured specifications, such as properties expressed over linear-time temporal logics (LTL), automated and computer-aided tools have been developed for the verification and synthesis of models of the systems of interest. To meet new demands from domains dealing with complex new applications, these methods need to be extended to be applicable on models of (cyber-)physical systems. Recent research [13,12,10] pursues this overall objective via the verification of models (of physical systems) with uncountable state spaces: of special interest is the safe-by-construction automatic synthesis of controllers. These correct-by-design controllers are however incompatible with general systems for which models with exact knowledge of the dynamics and full state measurements are not available.


Contributions

In this work we extend correct-by-design controllers for linear time invariant (LTI) models as in [13] to output-based controllers that employ sensor outputs or partial state measurements. As in [13], our new control architectures come with quantitative certificates on the accuracy. Further, since dynamics of physical systems are often disturbed in a probabilistic sense and associated sensors are noisy, we require the new output-based controllers to show quantifiable robustness with respect to stochastic disturbances on state evolutions and output measurements.

Related work

Design methods for classical optimal control problems [5] of models with (noisy) output measurements can be distinguished in direct designs based on the input-output behaviour of the system, and in methods exploiting the separation of estimation and control. The former class includes frequency-domain and robust control methods; alternatively, whenever applicable (as in the optimal linear quadratic Gaussian problem) the separation theorem [15] allows for the distinct design of an observer estimating the state and of a state feedback controller, yielding a combined output feedback controller.

Within the formal methods literature, limited efforts have targeted the synthesis of controllers for finite state models without state observations. Existing results target finite-state models: [7] studies the synthesis for partially observable models by searching the space of output-feedback controllers via counter-example-guided refinements. A heuristic algorithm in [3] finds controllers satisfying LTL properties almost surely over partially-observable Markov decision processes. In contrast, the work of [17] extends PCTL* to target hidden Markov models and proposes a model checking algorithm.

For fully observable Markov processes with general state spaces, verification and controller synthesis problems are reviewed in [1], and generally tackled over a simplified model that can be formally related to the original one. The simplified model can then be shown to be in an (approximate) relation with the original model, either via metrics defined over the marginals of the conditional kernels [11], or via metrics bounding the distance between the output trajectories [9]. In contrast, this work will use the definition of approximate bisimulation relations, similar to those in [16], to quantify the expected deviation of noisy trajectories affected by stochastic disturbances.

Structure of the article

After reviewing preliminary notions in Sec. 2, the problem statement together with state-based, correct-by-design controller architectures [13,12] is given in Sec. 3. We design an output-based controller by introducing a state observer and a notion of output-based interface in Section 4. Under very standard controllability and observability conditions on the model, this design allows us to bound the deviation between state-based and output-based controllers (cf. Sec. 5). Additionally, Section 6 discusses robustness issues with respect to stochastic disturbances, both on state transitions and sensor measurements. Finally, in Section 7 the design methodology is evaluated on a case study in the area of Smart Buildings.

2 Preliminaries

2.1 Transition systems and simulation relations

Definition 1 (Transition system [12]) A transition system is a tuple $\Sigma = (X, X_0, A, \to, Z, \mathcal{H})$, where

• $X$ is a (possibly infinite) set of states;

• $X_0$ is a (possibly infinite) set of initial states;

• $A$ is a (possibly infinite) set of actions;

• $\to \subseteq X \times A \times X$ is a transition relation;

• $Z$ is a (possibly infinite) set of observations;

• $\mathcal{H} : X \to Z$ is a map assigning to each $x \in X$ an observation $\mathcal{H}(x) \in Z$.

A metric transition system is a transition system endowed with a metric over the observation space $Z$. □

This work considers non-blocking transition systems, where every state $x \in X$ is associated to a non-empty transition relation. The behaviour generated by $\Sigma$ is denoted as $\mathcal{B}(\Sigma)$ and consists of all infinite sequences $z_0, z_1, z_2, \ldots$ for which there exists an initialised path $(x_0, u_0), (x_1, u_1), (x_2, u_2), \ldots$, with $x_0 \in X_0$, $(x_i, u_i, x_{i+1}) \in \to$, and $z_i = \mathcal{H}(x_i)$ for all $i \in \mathbb{N}$.

A transition system is called deterministic if the initial state is defined deterministically, i.e., $X_0 := \{x_0\}$, and for a given state-action pair the next state is determined uniquely.

The verification of LTI models can be attained by abstracting them as finite-state ones and leveraging symbolic approaches [12]. Pairs of models can be related as follows.

Definition 2 (Simulation relation [12]) Let $\Sigma_a = (X_a, X_{a0}, A_a, \to_a, Z_a, \mathcal{H}_a)$ and $\Sigma_b = (X_b, X_{b0}, A_b, \to_b, Z_b, \mathcal{H}_b)$ be transition systems with the same output sets $Z_a = Z_b$. A binary relation $\mathcal{R} \subseteq X_a \times X_b$ is said to be a simulation relation from $\Sigma_a$ to $\Sigma_b$ if the following three conditions are satisfied:

(1) for every $x_{a0} \in X_{a0}$, there exists $x_{b0} \in X_{b0}$ with $(x_{a0}, x_{b0}) \in \mathcal{R}$;

(2) for every $(x_a, x_b) \in \mathcal{R}$ we have $\mathcal{H}_a(x_a) = \mathcal{H}_b(x_b)$;

(3) for every $(x_a, x_b) \in \mathcal{R}$ we have that $x_a \xrightarrow{u_a}_a x_a'$ in $\Sigma_a$ implies the existence of $x_b \xrightarrow{u_b}_b x_b'$ in $\Sigma_b$ satisfying $(x_a', x_b') \in \mathcal{R}$.

We say that $\Sigma_a$ is simulated by $\Sigma_b$, or that $\Sigma_b$ simulates $\Sigma_a$, denoted as $\Sigma_a \preceq_S \Sigma_b$, if there exists a simulation relation from $\Sigma_a$ to $\Sigma_b$. The transition systems $\Sigma_a$ and $\Sigma_b$ are simulation equivalent, $\Sigma_a \cong_S \Sigma_b$, iff $\Sigma_a \preceq_S \Sigma_b$ and $\Sigma_b \preceq_S \Sigma_a$. The models $\Sigma_a$ and $\Sigma_b$ are bisimilar, i.e., $\Sigma_a \cong \Sigma_b$, if there exists a relation $\mathcal{R}$ that is a simulation relation from $\Sigma_a$ to $\Sigma_b$ and for which $\mathcal{R}^{-1}$ is also a simulation relation from $\Sigma_b$ to $\Sigma_a$. □

Note that this similarity relation over the set of transition systems implies a relation over the behaviour of the transition systems [12]; more precisely, if $\Sigma_a \preceq_S \Sigma_b$ then $\mathcal{B}(\Sigma_a) \subseteq \mathcal{B}(\Sigma_b)$, and if $\Sigma_a \cong_S \Sigma_b$ then $\mathcal{B}(\Sigma_a) = \mathcal{B}(\Sigma_b)$.

Approximate versions of simulation relations allow for a more robust interpretation and can be considered over metric transition systems [12]. Consider two given metric transition systems with a shared output space $Z$ and a metric $d$; then an $\varepsilon$-approximate simulation relation $\mathcal{R} \subseteq X_a \times X_b$ is defined as follows (cf. [12]).

Definition 3 (Approximate Simulation Relation) Let $\Sigma_a = (X_a, X_{a0}, A_a, \to_a, Z_a, \mathcal{H}_a)$ and $\Sigma_b = (X_b, X_{b0}, A_b, \to_b, Z_b, \mathcal{H}_b)$ be transition systems with the same output space $Z_a = Z_b$ with metric $d$. For $\varepsilon \in \mathbb{R}^+$, a relation $\mathcal{R} \subseteq X_a \times X_b$ is said to be an $\varepsilon$-approximate simulation relation from $\Sigma_a$ to $\Sigma_b$ if the following three conditions are satisfied:

(1) for every $x_{a0} \in X_{a0}$, there exists $x_{b0} \in X_{b0}$ with $(x_{a0}, x_{b0}) \in \mathcal{R}$;

(2) for every $(x_a, x_b) \in \mathcal{R}$ we have $d(\mathcal{H}_a(x_a) - \mathcal{H}_b(x_b)) \le \varepsilon$;

(3) for every $(x_a, x_b) \in \mathcal{R}$ we have that $x_a \xrightarrow{u_a}_a x_a'$ in $\Sigma_a$ implies the existence of $x_b \xrightarrow{u_b}_b x_b'$ in $\Sigma_b$ satisfying $(x_a', x_b') \in \mathcal{R}$.

We say that $\Sigma_a$ is approximately simulated by $\Sigma_b$, or that $\Sigma_b$ approximately simulates $\Sigma_a$, denoted by $\Sigma_a \preceq_\varepsilon \Sigma_b$, if there exists an $\varepsilon$-approximate simulation relation from $\Sigma_a$ to $\Sigma_b$. The models $\Sigma_a$ and $\Sigma_b$ are approximately bisimilar, i.e., $\Sigma_a \cong_\varepsilon \Sigma_b$, iff there exists a relation $\mathcal{R}$ that is an $\varepsilon$-approximate simulation relation from $\Sigma_a$ to $\Sigma_b$ and for which $\mathcal{R}^{-1}$ is an $\varepsilon$-approximate simulation relation from $\Sigma_b$ to $\Sigma_a$.

2.2 Formal specifications and control design

Let us consider a specification of interest $\psi$ for which the desired behaviour is represented by a transition system $\Sigma_\psi$ [12]. Then a control synthesis problem for $\Sigma$ can be formulated as the search for a controller $C$ such that the controlled transition system $C \times \Sigma$ satisfies the specification, namely (a.) if $C \times \Sigma \preceq_S \Sigma_\psi$ or (b.) if $C \times \Sigma \cong \Sigma_\psi$. The notation $C \times \Sigma$ refers to the composition of the controller $C$ with model $\Sigma$: the actions of the obtained transition system are defined by the controller $C$, whereas the internal state of $C$ is updated based on information available from $\Sigma$.

If $\Sigma_a$ and $\Sigma_b$ are deterministic transition systems and $\Sigma_a \preceq_S \Sigma_b$, then for every sequence of actions for $\Sigma_a$ there exists a corresponding sequence for $\Sigma_b$ such that the observed behaviour is the same [6]. Definition 2 suggests the refinement of a controller for $\Sigma_a$ to $\Sigma_b$ via condition 3): for every choice of $u_a$ picked by the controller for $\Sigma_a$, there exists a suitable input $u_b$. In practice this allows synthesis problems to be first solved on a simplified, and possibly finite, abstraction ($\Sigma_a$), before refinement over a concrete, complex model ($\Sigma_b$).

3 Problem statement

We intend to synthesise a certifiable output-based controller for a physical system represented by the LTI model

$x(t+1) = Ax(t) + Bu(t)$,  $y(t) = Cx(t)$,  $z(t) = Hx(t)$,   (1)

where $x(t) \in \mathbb{R}^n$ is the state, initialised by $x(0) \in X_0 \subset \mathbb{R}^n$, the control input is $u(t) \in \mathbb{R}^m$, and $y(t)$ is the measured output available for control. $A, B, C$ are real matrices of appropriate dimensions. The signals $z(t)$, mapped from the state space via the linear map $Hx$, are used to define performance and properties. This is unlike [17], which defines specifications over the signals $y(t)$. In contrast to the measured output $y(t)$, the structure of which is physically specified by the sensors attached to the system, the choice of $H$ can be adapted to the design requirements, and includes $H = C$ and $H = I$ as special cases.

The LTI model $M$ can be reinterpreted as a transition system characterised by a tuple $(\mathbb{R}^n, X_0, \mathbb{R}^m, \to, H)$, with a state space $x \in \mathbb{R}^n$, a set of initial states $x(0) \in X_0$, and transitions $\to := \{(x, u, x') \mid x' = Ax + Bu\}$. Additionally, $H$ assigns the observation $z = Hx$ to each $x \in \mathbb{R}^n$. Note that this transition system has uniquely defined transitions, since for every state-action pair there is a unique state transition.

3.1 State-of-the-art correct-by-design controller synthesis

Suppose that an LTI model $x(t+1) = Ax(t) + Bu(t)$ is given, and that it has a finite-valued observation map that induces a partition over the observation space. Under assumptions on the controllability of the model, on the linear independence of the columns of its input matrix $B$, and on the observation map [13,12], the LTI model can be bisimulated by a finite transition system. Alternatively, under less stringent conditions it is possible to synthesise a finite approximate bisimulation of the given model [12,10]: further, for every controller synthesised on the finite-state abstraction there exists a refined controller for the original model, with the same closed-loop behaviour.

In the remainder of this work we assume that, given a model $M$ and a model $\Sigma_\psi$ for the specification, both with the same output space, we have obtained a controlled model $M_c$ that satisfies $\Sigma_\psi$ [12]. $M_c := C \times M$ denotes the composition of model $M$ with the correct-by-design controller $C$, where $C$ takes as input the state of $M$ and returns an action to $M$. This controlled model has hybrid states $(x, q)$ with $x \in \mathbb{R}^n$ and $q \in Q$, where $Q$ is a finite set. Its dynamics are defined as

$x(t+1) = Ax(t) + Bu_q(x(t))$,  $q(t+1) = \delta(x(t), q(t))$,   (2)

and initialised by $(x(0), q(0)) \in \bigcup_{q_0 \in Q_0} (\{q_0\} \times X_0(q_0))$. Let us remark that the discrete states of this model follow from the states of a finite transition system, approximately bisimilar to the continuous-state model $M$, and from the discrete states of the specification model $\Sigma_\psi$. Hence the discrete state $q$ is initialised based on the specification model $\Sigma_\psi$ and the initial state $x(0)$. Note that $u_q(x(t))$ is a function that maps the current state to an action.

3.2 Problem statement

Suppose that there exists a state-based, correct-by-design controller for a fully-observed LTI model, with closed-loop dynamics denoted by $M_c$ as in (2). The objective of this work is to design an output-based controller, a controller that only requires the measured signal $y(t)$ and that can therefore be deployed on the model in (1). Additionally, it is required that the new controller guarantees an upper bound on the deviation from the state-based control in (2).

In the following we use the notion of interface function. Interface functions originate from the work in [6] on hierarchical control design based on (approximate) simulation relations: the construction of a controller over a simplified model is refined to a concrete model while maintaining the same guarantees over the controlled behaviour.

Definition 4 (Interface function) Let $\Sigma_a = (X_a, X_{a0}, A_a, \to_a, Z_a, \mathcal{H}_a)$ and $\Sigma_b = (X_b, X_{b0}, A_b, \to_b, Z_b, \mathcal{H}_b)$ be deterministic transition systems with the same output sets $Z_a = Z_b$. A relation $\mathcal{R} \subseteq X_a \times X_b$ is an $\varepsilon$-approximate simulation relation from $\Sigma_a$ to $\Sigma_b$, and $\mathcal{F} : A_a \times X_a \times X_b \to A_b$ is its related interface, if the following three conditions are satisfied: (1) for every $x_{a0} \in X_{a0}$, there exists $x_{b0} \in X_{b0}$ with $(x_{a0}, x_{b0}) \in \mathcal{R}$; (2) for every $(x_a, x_b) \in \mathcal{R}$, $d(\mathcal{H}_a(x_a) - \mathcal{H}_b(x_b)) \le \varepsilon$; (3) for every $(x_a, x_b) \in \mathcal{R}$ we have that $x_a \xrightarrow{u_a}_a x_a'$ in $\Sigma_a$ implies $x_b \xrightarrow{u_b}_b x_b'$ in $\Sigma_b$ with $u_b = \mathcal{F}(u_a, x_a, x_b)$, satisfying $(x_a', x_b') \in \mathcal{R}$. The feedback composition of $\Sigma_a$ and $\Sigma_b$ is denoted as $\Sigma_a \times_{\mathcal{F}} \Sigma_b$. □

Note that the existence of an (approximate) simulation relation implies the existence of an interface, i.e., for all $\varepsilon$-approximately simulated and deterministic transition systems there exists at least one interface function.

In practice Definition 4 entails that the dynamics corresponding to the feedback-composed models $\Sigma_a \times_{\mathcal{F}} \Sigma_b$ do not differ more than $\varepsilon$. Hence, a controller composed on $\Sigma_a$ can be refined to $\Sigma_b$ via the interface $\mathcal{F}$, without affecting its closed-loop accuracy more than $\varepsilon$.

Let us define a specific class of interfaces denoted as sensor-based interfaces, which are defined exclusively based on sensor information from $\Sigma_b$, namely $\mathcal{F}_g : A_a \times X_a \times g(X_b) \to A_b$, where $g$ is the sensor function. In the particular instance of (1), the sensor function is $g(x(t)) := Cx(t)$. These structures are of interest to us, as they define the set of interfaces that can be practically implemented for controller refinement on partially observable systems.
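The following is an added example, not code from the paper: it computes the greatest $\varepsilon$-approximate simulation relation of Definition 3 between two small finite metric transition systems as a fixed point, checks condition (1) of the definition, and reads an interface $\mathcal{F}(u_a, x_a, x_b)$ in the sense of Definition 4 off the relation. The two systems (a three-state temperature abstraction and a five-state concrete model on a one-degree grid), their action names and the metric $|z_a - z_b|$ are all constructed for the example and are not from the paper.

```python
"""Added example (not from the paper): greatest eps-approximate simulation
relation of Definition 3 between two finite metric transition systems, found
as a greatest fixed point, plus a Definition-4 interface read off from it.
Both systems are CONSTRUCTED toys: a coarse 3-state abstraction of a room
temperature and a finer 5-state concrete model; the metric is |z_a - z_b|."""
from itertools import product


class TS:
    """Finite transition system (X, X0, A, ->, Z, H) with real-valued observations."""

    def __init__(self, init, trans, obs):
        self.X0 = set(init)
        self.trans = trans      # state -> list of (action, next_state)
        self.H = obs            # state -> observation (a real number)
        self.X = set(obs)


def greatest_simulation(sa, sb, eps):
    """Largest R within Xa x Xb meeting conditions (2) and (3) of Definition 3.
    Start from all output-compatible pairs and discard a pair whenever some
    a-move cannot be matched by a b-move landing back in R, until stable."""
    R = {(xa, xb) for xa, xb in product(sa.X, sb.X)
         if abs(sa.H[xa] - sb.H[xb]) <= eps}
    changed = True
    while changed:
        changed = False
        for xa, xb in list(R):
            matched = all(any((xa2, xb2) in R for _, xb2 in sb.trans.get(xb, []))
                          for _, xa2 in sa.trans.get(xa, []))
            if not matched:
                R.discard((xa, xb))
                changed = True
    return R


def simulates(sa, sb, eps):
    """True iff sa is eps-approximately simulated by sb: condition (1) of
    Definition 3 checked on top of the greatest relation."""
    R = greatest_simulation(sa, sb, eps)
    return all(any((xa0, xb0) in R for xb0 in sb.X0) for xa0 in sa.X0)


def interface(sa, sb, R):
    """Interface F(u_a, x_a, x_b) -> u_b (Definition 4): for each related pair
    and each a-action, the first b-action whose successor keeps the pair in R."""
    F = {}
    for xa, xb in R:
        for ua, xa2 in sa.trans.get(xa, []):
            for ub, xb2 in sb.trans.get(xb, []):
                if (xa2, xb2) in R:
                    F[(ua, xa, xb)] = ub
                    break
    return F


# Constructed abstraction: three temperature bands, actions 'up' / 'down'.
ABSTRACT = TS(
    init=["a0"],
    trans={"a0": [("up", "a1"), ("down", "a0")],
           "a1": [("up", "a2"), ("down", "a0")],
           "a2": [("up", "a2"), ("down", "a1")]},
    obs={"a0": 18.0, "a1": 20.0, "a2": 22.0})


def concrete(two_step):
    """Constructed concrete model on a 1-degree grid 18..22; with two_step the
    heater/cooler may also move two cells per step (saturating at the ends)."""
    states = [f"b{i}" for i in range(5)]
    trans = {}
    for i, s in enumerate(states):
        moves = [("heat", states[min(i + 1, 4)]), ("cool", states[max(i - 1, 0)])]
        if two_step:
            moves += [("heat2", states[min(i + 2, 4)]), ("cool2", states[max(i - 2, 0)])]
        trans[s] = moves
    return TS(init=["b0"], trans=trans, obs={s: 18.0 + i for i, s in enumerate(states)})


if __name__ == "__main__":
    for eps in (1.0, 0.5):
        for two_step in (False, True):
            ok = simulates(ABSTRACT, concrete(two_step), eps)
            print(f"eps={eps} two_step={two_step}: abstraction simulated? {ok}")
    R = greatest_simulation(ABSTRACT, concrete(True), 0.5)
    print("interface at eps=0.5:", interface(ABSTRACT, concrete(True), R))
```

With only single-cell moves the concrete model cannot refine the abstraction at either precision (the fixed point empties out), while with two-cell moves it can; the interface then names the concrete action that realises each abstract move ('heat' suffices at $\varepsilon = 1$, 'heat2' is needed at $\varepsilon = 0.5$), which is exactly the refinement step of Section 2.2.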



Fig. 1. Interconnection model/observer, $M\|O(M)$.

4 Observer-based correct-by-design controller synthesis

In this section we propose a new design methodology for output-based controller refinement. We first design an observer that extends the sensor outputs with state estimates, see Fig. 1. Then, as in Fig. 2, we define a linear, sensor-based interface function between $M_c$ (the state-based, correct-by-design controlled model) and the model/observer interconnection from Fig. 1.

4.1 Observer-based design

Consider a Luenberger observer denoted as $O$:

$\hat{x}(t+1) = A\hat{x}(t) + Bu(t) + L\,(y(t) - \hat{y}(t))$,  $\hat{y}(t) = C\hat{x}(t)$,   (3)

with gain matrix $L$ such that $A - LC$ is stable if $(A, C)$ is detectable [5]. The observer is initialised as $\hat{x}(0)$, and uses the outputs from $M$ to estimate its internal state. The composition of $M$ with its observer $O(M)$ is denoted as $M\|O(M)$ and portrayed in Fig. 1.

Denote the sensor-based interface as

$\mathcal{F}_g(u, \tilde{x}, \hat{x}) = u + K(\tilde{x} - \hat{x})$,   (4)

where $u$ is the action selected by $M_c$ (this role is played by $u_q$ in (2)). For this linear interface we demand that matrix $A - BK$ is stable. Note that the interface is sensor-based (as defined in Section 2), since the state estimate $\hat{x}$ of $x$ can be obtained from the sensor function of $M\|O(M)$, thus $g(x, \hat{x}) = \hat{x}$.

The overall controlled model $M_c \times_{\mathcal{F}_g} (M\|O(M))$, denoted as $\tilde{M}_c$, is the result of interfacing the two structures discussed above, as depicted in Fig. 2. This has dynamics evolving over the continuous state space as:

$\tilde{x}(t+1) = A\tilde{x}(t) + Bu_q(\tilde{x}(t))$
$\hat{x}(t+1) = (A - LC)\hat{x}(t) + Bu(t) + LCx(t)$
$x(t+1) = Ax(t) + Bu(t)$   (5)
$u(t) = \mathcal{F}_g(u_q(\tilde{x}(t)), \tilde{x}(t), \hat{x}(t))$

in combination with the discrete transitions $q(t+1) = \delta(\tilde{x}(t), q(t))$ from (2).


Remark 1 As depicted in Fig. 2, we have designed an output-based controller by combining a given state-based controller with an observer. However, unlike classical results where a state-based controller is employed over estimated states from an observer, in this work we have interfaced the state-based controlled model $M_c$ with the model/observer interconnection $M\|O(M)$, as in Fig. 1. This allows one to reason explicitly about the accuracy of the overall output-controlled system, based on the accuracy of the sensor-based interface function. In special cases the proposed architecture can reduce to the classical approach. □


Fig. 2. Observer-based correct-by-design controller synthesis. The overall interconnection is denoted as $\tilde{M}_c$.


5 Quantification of the overall accuracy

The controlled model $\tilde{M}_c$, with traces $x(t)$ as in (2)-(5), maps to the specification space as $z(t) = Hx(t)$. Let a metric over this space be defined as $\|\cdot\|_2$. Of interest is the distance between the system output $z(t)$ as in (1) and $\tilde{z}(t)$, when the system is controlled via the interconnection of Fig. 2. From the definition of the sensor-based interface, the following result holds.

Theorem 5 The function in (4) is a sensor-based interface between $M_c$ and $M\|O(M)$ with precision $\varepsilon$, where

$\varepsilon := \sqrt{\mathrm{trace}\big([H\ \ H]\,Q\,[H\ \ H]^\top\big)}$   (6)

for a matrix $Q$ satisfying (7) and

$\begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix} Q \begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix}^\top - Q \preceq 0.$   (8)

Thus the distance between $\tilde{z}(t)$ and $z(t)$ is bounded by $\varepsilon$ if there exists a $Q$ for which (7) and (8) are satisfied. A stability assumption on matrices $A - BK$ and $A - LC$ guarantees this [5]. Note that since both $\tilde{x}(0)$ and $\hat{x}(0)$ are included in the design space, it would not make much sense to select $\tilde{x}(0) \neq \hat{x}(0)$ for the initialisation. Hence, the accuracy depends on the initial states of the models only via $\hat{x}(0) - x(0)$. In case the initial state $x(0)$ is only known up to a set $X_0$, the guarantee in Theorem 5 is required to hold over all $x(0) \in X_0$. The proof of the theorem is given as follows.


Proof The relation (7) and the interface (4) are a simulation relation and interface function for the models $M_c$ and $M\|O(M)$, since all three conditions are satisfied. The first follows immediately from (7). The second can be shown as follows: $\tilde{z}(t) - z(t) = H(\tilde{x}(t) - \hat{x}(t)) + H(\hat{x}(t) - x(t))$, hence

$\|\tilde{z}(t) - z(t)\|_2^2 = \mathrm{trace}\left([H\ \ H]\begin{bmatrix}\tilde{x}(t) - \hat{x}(t)\\ \hat{x}(t) - x(t)\end{bmatrix}\begin{bmatrix}\tilde{x}(t) - \hat{x}(t)\\ \hat{x}(t) - x(t)\end{bmatrix}^\top\begin{bmatrix}H^\top\\ H^\top\end{bmatrix}\right);$

if $(\tilde{x}, \hat{x}, x) \in \mathcal{R}$ then

$\|\tilde{z}(t) - z(t)\|_2^2 \le \mathrm{trace}\big([H\ \ H]\,Q\,[H\ \ H]^\top\big)$

and $\|\tilde{z}(t) - z(t)\|_2 \le \varepsilon$. The third condition follows: suppose that $(\tilde{x}(t), \hat{x}(t), x(t)) \in \mathcal{R}$, then

$\begin{bmatrix}\tilde{x}(t+1) - \hat{x}(t+1)\\ \hat{x}(t+1) - x(t+1)\end{bmatrix} = \begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix}\begin{bmatrix}\tilde{x}(t) - \hat{x}(t)\\ \hat{x}(t) - x(t)\end{bmatrix},$

thus $(\tilde{x}(t+1), \hat{x}(t+1), x(t+1)) \in \mathcal{R}$ if

$\begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix} Q \begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix}^\top \preceq Q,$

which holds due to (8). □


6 Stochastic disturbances: robustness

We extend the previous results supposing that the physical system $M$ is disturbed by stochastic noise. More precisely, state transitions are affected by additive noise $\mathbf{w}_1(t)$ with realisations $w_1(t) \sim \mathbf{w}_1(t)$ taking values in $\mathbb{R}^{d_1}$, whereas sensor measurements are disturbed by noise sources $\mathbf{w}_2(t)$, with realisations $w_2(t) \sim \mathbf{w}_2(t)$. (We denote random variables $\mathbf{x}$ in bold face, in contrast to their realisations $x \sim \mathbf{x}$.) Each of the noise sources is supposed to be independent and identically distributed over time, with zero mean and unit variance. This assumption holds for a typical Gaussian process noise with distribution $\mathbf{w}_1(t) \sim \mathcal{N}(0, I_{d_1 \times d_1})$. The resulting stochastic model is

$x(t+1) = Ax(t) + Bu(t) + Fw_1(t)$,  $y(t) = Cx(t) + Ew_2(t)$,  $z(t) = Hx(t)$,   (9)

where the matrices $F, E$ are again real-valued matrices of appropriate dimensions. The model is initialised as $\mathbf{x}(0) \sim \mathcal{N}(x_0, P_0)$.

With reference to the previous section, the control design strategy is as follows:



[Fig. 2 block diagram: state-based controlled model $M_c$, as in (2); sensor-based interface, as in (4); model $M$ of the system interconnected with a Luenberger observer $O(M)$, as in (3).]
(a) Simulation outcomes for controlled models: $M_c$ denotes state-based control of the noiseless model realisation ([10]); $\tilde{M}_c$ is the output-based control of the Gaussian process model (15); Feedforward denotes feedforward design using $M_c$.

(b) (Upper plot) Error in state estimation for $\tilde{M}_c$; (Lower plot) Deviation from mean ambient temperature.

Fig. 3. Case study in smart buildings.


A. Let $M$ be a noiseless version of the model in (9), and $M_c$ be the composition of $M$ with its correct-by-design controller;

B. Design a state observer $O(M)$ for $M$;

C. Design a linear interface function $\mathcal{F}_g$ stabilising $A - BK$;

D. Implement the control structure in Fig. 2, and denote the resulting controlled stochastic model as $\tilde{M}_c := M_c \times_{\mathcal{F}_g} (M\|O(M))$.

The initial conditions for $\tilde{M}_c$, namely $\tilde{x}(0), \hat{x}(0)$, are selected as part of the control design problem: as discussed earlier, we pick $\tilde{x}(0) = \hat{x}(0)$. Further, let $q(0)$ be any discrete state such that $(\tilde{x}(0), q(0)) \in \bigcup_{q_0 \in Q_0} (\{q_0\} \times X_0(q_0))$.

In order to analyse the behaviour of the controlled stochastic model $\tilde{M}_c$ with respect to a metric of interest, let us embed $\tilde{M}_c$ into the formalism of deterministic transition systems (cf. Definition 1) as in [16]. The model can be represented as a symbolic transition system $\Sigma^*(\tilde{M}_c)$, with states encompassing random variables $\mathbf{x}_c(t)$ representing the distribution of $x_c(t) \sim \mathbf{x}_c(t)$, with $x_c(t) = [\tilde{x}^\top(t)\ \ \hat{x}^\top(t)\ \ x^\top(t)]^\top$ as in (5). Consider the metric output space $Z$, to which the states are mapped as $\mathbf{z}_c(t) = H\mathbf{x}(t)$. Further consider the metric $d^*(\mathbf{z}_1 - \mathbf{z}_2) = \mathbb{E}(\|\mathbf{z}_1 - \mathbf{z}_2\|_2)$, with $\|\cdot\|_2$ the Euclidean norm. Denote the set of all transition systems with the metric output space $Z$ as $T^*$.

Both the specification model and the correct-by-design controlled model $M_c$ can be trivially embedded in $T^*$ via singleton distributions: we denote the corresponding symbolic transition systems as $\Sigma^*_\psi$ and $\Sigma^*(M_c)$, respectively. We obtain:


Theorem 6 Transition system $\Sigma^*(\tilde{M}_c)$ is approximately bisimulated by $\Sigma^*(M_c)$ with precision $\varepsilon$ obtained as

$\varepsilon := \sqrt{\mathrm{trace}\big([H\ \ H]\,Q\,[H\ \ H]^\top\big)}$   (10)

with

$\begin{bmatrix} 0 & 0 \\ 0 & (x_0 - \hat{x}(0))(x_0 - \hat{x}(0))^\top \end{bmatrix} + \begin{bmatrix} 0 & 0 \\ 0 & P_0 \end{bmatrix} - Q \preceq 0,$   (11)

$\begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix} Q \begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix}^\top + \begin{bmatrix} LEE^\top L^\top & -LEE^\top L^\top \\ -LEE^\top L^\top & FF^\top + LEE^\top L^\top \end{bmatrix} - Q \preceq 0.$   (12)

As a consequence¹ of Theorem 6 it follows that if $\Sigma^*(M_c) \preceq_S \Sigma^*_\psi$ then $\Sigma^*(\tilde{M}_c) \preceq_\varepsilon \Sigma^*_\psi$, and if $\Sigma^*(M_c) \cong \Sigma^*_\psi$ then $\Sigma^*(\tilde{M}_c) \cong_\varepsilon \Sigma^*_\psi$. Finally note that (12) is known to admit positive matrices $Q$ for which $\varepsilon$ is finite if $A - BK$ and $A - LC$ are both stable matrices [5].

Proof The composition of $M_c$ with $M\|O(M)$ over the interface (4) gives the continuous dynamics of $\Sigma^*(\tilde{M}_c)$ as

$\tilde{x}(t+1) = A\tilde{x}(t) + Bu_q(\tilde{x}(t))$
$\hat{x}(t+1) = (A - LC)\hat{x}(t) + Bu(t) + LCx(t) + LEw_2(t)$
$x(t+1) = Ax(t) + Bu(t) + Fw_1(t)$
$u(t) = u_q(\tilde{x}(t)) + K(\tilde{x}(t) - \hat{x}(t))$

with output $z(t) = Hx(t)$. Consider the relation $\mathcal{R}$ defined as

$\mathcal{R} := \Big\{\big((q', x'), (q, \tilde{x}, \hat{x}, x)\big)\ \Big|\ x' = \tilde{x},\ q' = q,\ \mathbb{E}\Big[\begin{bmatrix}\hat{x} - \tilde{x}\\ x - \hat{x}\end{bmatrix}\begin{bmatrix}\hat{x} - \tilde{x}\\ x - \hat{x}\end{bmatrix}^\top\Big] \preceq Q\Big\}$

where $x'$ is the continuous state of $\Sigma^*(M_c)$ and $x_c := [\tilde{x}^\top\ \ \hat{x}^\top\ \ x^\top]^\top$ the continuous state of $\Sigma^*(\tilde{M}_c)$. The outputs $z'$ and $z$ are similarly defined. For future reference note that applying the congruence transform with $\Delta x(t) = \hat{x}(t) - \tilde{x}(t)$ and $e(t) = x(t) - \hat{x}(t)$ gives:

$\tilde{x}(t+1) = A\tilde{x}(t) + Bu_q(\tilde{x}(t))$
$\Delta x(t+1) = (A - BK)\Delta x(t) + LCe(t) + LEw_2(t)$
$e(t+1) = (A - LC)e(t) + Fw_1(t) - LEw_2(t)$
$z(t) = H\tilde{x}(t) + H\Delta x(t) + He(t).$

Firstly, condition 1) for an approximate bisimulation holds: $x'(0) = \tilde{x}(0)$, $\hat{x}(0) - \tilde{x}(0) = 0$ and

$\mathbb{E}\big[(x(0) - \hat{x}(0))(x(0) - \hat{x}(0))^\top\big] = (x_0 - \hat{x}(0))(x_0 - \hat{x}(0))^\top + P_0.$

Therefore, based on (11), it follows that the first condition holds. Secondly, for all $((q', x'), (q, \tilde{x}, \hat{x}, x)) \in \mathcal{R}$ the metric $\mathbb{E}[\|z' - z\|_2]$ can be written as

$\mathbb{E}[\|Hx' - Hx\|_2] \le \sqrt{\mathbb{E}[(Hx' - Hx)^\top(Hx' - Hx)]} = \sqrt{\mathrm{trace}\,\mathbb{E}[H(x' - x)(x' - x)^\top H^\top]}.$

Note that $(x' - x) = (x' - \tilde{x}) - (\hat{x} - \tilde{x}) - (x - \hat{x})$, and $x' - \tilde{x} = 0$ (due to the relation $\mathcal{R}$), so the metric is bounded from above by

$\mathrm{trace}\Big([H\ \ H]\,\mathbb{E}\Big[\begin{bmatrix}\hat{x} - \tilde{x}\\ x - \hat{x}\end{bmatrix}\begin{bmatrix}\hat{x} - \tilde{x}\\ x - \hat{x}\end{bmatrix}^\top\Big]\begin{bmatrix}H^\top\\ H^\top\end{bmatrix}\Big)^{\frac{1}{2}} \le \mathrm{trace}\Big([H\ \ H]\,Q\begin{bmatrix}H^\top\\ H^\top\end{bmatrix}\Big)^{\frac{1}{2}}.$

For the third condition we have to prove invariance of $\mathcal{R}$. More specifically, if $((q'(t), x'(t)), (q(t), \tilde{x}(t), \hat{x}(t), x(t))) \in \mathcal{R}$ then for every transition of $M_c$, $(q'(t), x'(t)) \to (q'(t+1), x'(t+1))$, there exists a transition in $\tilde{M}_c$ for which $((q'(t+1), x'(t+1)), (q(t+1), \tilde{x}(t+1), \hat{x}(t+1), x(t+1))) \in \mathcal{R}$.

Since $\tilde{M}_c$ is composed as $M_c \times_{\mathcal{F}_g} (M\|O(M))$, we know that for every transition $(q'(t), x'(t)) \to (q'(t+1), x'(t+1))$ in $M_c$ there is an equivalent transition $(q(t), \tilde{x}(t)) \to (q(t+1), \tilde{x}(t+1))$ in $\tilde{M}_c$. And the congruence-transformed dynamics are such that

$\mathbb{E}\Big[\begin{bmatrix}\hat{x}(t+1) - \tilde{x}(t+1)\\ x(t+1) - \hat{x}(t+1)\end{bmatrix}\begin{bmatrix}\hat{x}(t+1) - \tilde{x}(t+1)\\ x(t+1) - \hat{x}(t+1)\end{bmatrix}^\top\Big] = \begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix}\mathbb{E}\Big[\begin{bmatrix}\hat{x}(t) - \tilde{x}(t)\\ x(t) - \hat{x}(t)\end{bmatrix}\begin{bmatrix}\hat{x}(t) - \tilde{x}(t)\\ x(t) - \hat{x}(t)\end{bmatrix}^\top\Big]\begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix}^\top + \begin{bmatrix} LEE^\top L^\top & -LEE^\top L^\top \\ -LEE^\top L^\top & FF^\top + LEE^\top L^\top \end{bmatrix} \preceq Q$

because (12) holds. Therefore every transition of $M_c$ can be mimicked by $\tilde{M}_c$. The proof that every transition in $\tilde{M}_c$ has an equivalent transition in $M_c$ goes along the same lines. □

¹ Note that we have trivially assumed that this (bi-)simulation relation between the transition system $\Sigma(M_c)$ and $\Sigma_\psi$ is maintained when embedding them in $T^*$ via Dirac distributions [16].

6.1 Selection of the matrix gains L and K

Thus far we have assumed that $L$ and $K$ are chosen so that they stabilise $A - LC$ and $A - BK$. It is known that, as long as the model is detectable and stabilisable, these gains exist [5]. A constructive approach to obtain $L, K$ in a semi-optimal manner follows from Theorem 6. Omitting the initialisation, the computation of the precision level defined in (10) together with (12) for given $L$ and $K$ is equivalent to $\varepsilon = \lim_{t \to \infty} \sqrt{\mathbb{E}\|\Delta z(t)\|_2^2}$ for

$\Delta x(t+1) = \begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix}\Delta x(t) + \begin{bmatrix} 0 & LE \\ F & -LE \end{bmatrix}\begin{bmatrix} w_1(t) \\ w_2(t) \end{bmatrix},$   (13)

$\Delta z(t) = [H\ \ H]\,\Delta x(t),$   (14)

for given white noise sequences $w_1(t), w_2(t)$, where $\Delta x(t)$ in (13) stacks the two error components of the congruence-transformed dynamics above. As such the optimisation problem leading to $L$ and $K$ has been recast in the familiar LQG stochastic control problem [15] for which it is known that the optimal observer gain $L$ and the optimal state-feedback gain $K$ can be computed separately. The optimal observer gain with respect to the LQG problem is the Kalman filter gain, $L^* = (APC^\top)(CPC^\top + EE^\top)^{-1}$ s.t. $P = APA^\top - (APC^\top)(CPC^\top + EE^\top)^{-1}(CPA^\top) + FF^\top$.

On the other hand, the optimal state-feedback gain $K$ solves a quadratic control problem, that is $K^* = (B^\top SB)^{-1}B^\top SA$ s.t.

$S = A^\top SA - A^\top SB(B^\top SB)^{-1}B^\top SA + H^\top H.$

In the next case study this will be computed via the generalised eigenproblem algorithm [2] implemented in MATLAB. Note that since there is no trade-off between the state error and the magnitude of the control gain, the state feedback gain will push the control to deadbeat control [5]: this behaviour can be easily remedied by extending the observation space $H$ with $D_H$, such that the extended performance signal becomes $z_e(t) = [z^\top(t)\ \ z_u^\top(t)]^\top$, with $z_u(t) = D_H(u(t) - u_q(\tilde{x}(t)))$, or equivalently with $z_u(t) = D_H K\Delta x(t)$.

7 Case study in Smart Buildings
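As an added example for Sections 5, 6 and 6.1 (not the paper's code), the script below assembles the error matrix $\begin{bmatrix} A - BK & LC \\ 0 & A - LC \end{bmatrix}$ of the interconnection (5) for the two-zone case study, computes a $Q$ that meets (8) and (12) as a Lyapunov fixed point together with the precision $\varepsilon$ of (6)/(10), reproduces the LQ gain $K^*$ of Section 6.1 by Riccati iteration, and checks the certificate against a simulation of the closed loop. The matrices $\Xi, \Gamma, F$, the gains $L, K$ and the initial states are the page's values; the sensor-noise matrix $E$ is not legible on the page and is replaced by the assumed placeholder $\mathrm{diag}(0.1, 0.1)$, and the symbolic controller's action map $u_q$ is replaced by a constructed saturated heating rule (the certificate does not depend on $u_q$). Only the Python standard library is used.

```python
"""Added example, not the paper's code (Sections 5, 6, 6.1): error dynamics of (5),
a Q meeting (8)/(12) by Lyapunov iteration, the precision of (6)/(10), the LQ gain
K* of Sec. 6.1 by Riccati iteration, and a simulation check on the case study (15).
Page values: Xi, Gamma, F, L, K, x(0), x^(0). ASSUMED: E = diag(0.1, 0.1) (not legible
on the page) and a CONSTRUCTED saturated heating rule in place of the symbolic u_q."""
import math
import random

# minimal dense linear algebra on lists of lists (no numpy needed)
def mm(A, B): return [[sum(a * b for a, b in zip(r, c)) for c in zip(*B)] for r in A]
def tr(A): return [list(c) for c in zip(*A)]
def add(A, B): return [[a + b for a, b in zip(r, s)] for r, s in zip(A, B)]
def sub(A, B): return [[a - b for a, b in zip(r, s)] for r, s in zip(A, B)]
def neg(A): return [[-a for a in r] for r in A]
def blk(M11, M12, M21, M22): return [r + s for r, s in zip(M11, M12)] + [r + s for r, s in zip(M21, M22)]
def zeros(n, m): return [[0.0] * m for _ in range(n)]
def trace(A): return sum(A[i][i] for i in range(len(A)))
def inv2(M):
    (a, b), (c, d) = M
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

# case-study model (15)-(16); all values from the page except E
XI = [[0.8725, 0.0625, 0.0375], [0.0625, 0.8775, 0.0250], [0.0, 0.0, 0.9900]]
GAMMA = [[0.0650, 0.0], [0.0, 0.0600], [0.0, 0.0]]
C = [[1.0, 0.0, 0.0], [0.0, 0.0, 1.0]]        # sensors: zone 1 and ambient
H = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0]]        # specification signal z = (x1, x2)
F = [[0.05, -0.02, 0.0], [-0.02, 0.05, 0.0], [0.0, 0.0, 0.1]]
E = [[0.1, 0.0], [0.0, 0.1]]                  # ASSUMED placeholder (illegible on page)
L = [[0.5201, 0.0333], [-0.2239, 0.0262], [0.0022, 0.8196]]   # Kalman gain (page)
K = [[13.4231, 0.9615, 0.5769], [1.0417, 14.6250, 0.4167]]   # LQ gain (page)
X0, XT0 = [[16.0], [14.0], [-5.0]], [[16.0], [16.0], [0.0]]  # x(0); x~(0) = x^(0)

def closed_loop(A, B, Cm, Km, Lm):
    """A_cl of the error pair (x^ - x~, x - x^): [[A-BK, LC], [0, A-LC]]."""
    return blk(sub(A, mm(B, Km)), mm(Lm, Cm), zeros(len(A), len(A)), sub(A, mm(Lm, Cm)))

def noise_cov(Fm, Em, Lm):
    """Disturbance block of (12): [[LEE'L', -LEE'L'], [-LEE'L', FF' + LEE'L']]."""
    LEEL = mm(mm(Lm, Em), tr(mm(Lm, Em)))
    return blk(LEEL, neg(LEEL), neg(LEEL), add(mm(Fm, tr(Fm)), LEEL))

def lyapunov(Acl, W, iters=1500):
    """Q = sum_k Acl^k W (Acl^k)' by fixed-point iteration (Acl stable): then
    Acl Q Acl' + W - Q = 0 and W <= Q, so (8)/(12) and the initialisation hold."""
    Q = W
    for _ in range(iters):
        Q = add(mm(mm(Acl, Q), tr(Acl)), W)
    return Q

def precision(Q, Hm):
    """epsilon = sqrt(trace([H H] Q [H H]')), equations (6) and (10)."""
    HH = [r + r for r in Hm]
    return math.sqrt(trace(mm(mm(HH, Q), tr(HH))))

def lq_gain(A, B, Hm, iters=100):
    """K* = (B'SB)^-1 B'SA, S = A'SA - A'SB(B'SB)^-1 B'SA + H'H, Riccati-iterated from S = H'H."""
    HtH = mm(tr(Hm), Hm)
    S = HtH
    for _ in range(iters):
        BSB, BSA = mm(mm(tr(B), S), B), mm(mm(tr(B), S), A)
        S = add(sub(mm(mm(tr(A), S), A), mm(mm(tr(BSA), inv2(BSB)), BSA)), HtH)
    return mm(inv2(mm(mm(tr(B), S), B)), mm(mm(tr(B), S), A))

def u_q(xt):
    """CONSTRUCTED stand-in for u_q(x~): heat each zone towards 20.75 C, saturated to [10, 30]."""
    return [[min(30.0, max(10.0, 20.0 + 4.0 * (20.75 - xt[i][0])))] for i in range(2)]

def simulate(steps=250, noisy=False, seed=0):
    """Run (5), with the noise of (9) when noisy, and return ||z~(t) - z(t)||_2 per step."""
    rng = random.Random(seed)
    x, xt, xh = [r[:] for r in X0], [r[:] for r in XT0], [r[:] for r in XT0]
    devs = []
    for _ in range(steps):
        devs.append(math.sqrt(sum(v[0] ** 2 for v in mm(H, sub(xt, x)))))
        w1 = [[rng.gauss(0.0, 1.0)] for _ in range(3)] if noisy else zeros(3, 1)
        w2 = [[rng.gauss(0.0, 1.0)] for _ in range(2)] if noisy else zeros(2, 1)
        uq = u_q(xt)
        u = add(uq, mm(K, sub(xt, xh)))                               # interface (4)
        y = add(mm(C, x), mm(E, w2))                                  # measurement of (9)
        x_n = add(add(mm(XI, x), mm(GAMMA, u)), mm(F, w1))            # plant M
        xh_n = add(add(mm(XI, xh), mm(GAMMA, u)), mm(L, sub(y, mm(C, xh))))  # observer (3)
        xt = add(mm(XI, xt), mm(GAMMA, uq))                           # state-based M_c
        x, xh = x_n, xh_n
    return devs

def run_checks(runs=60, settle=120):
    """Certificates vs. simulation: eps_det/eps_x0 bound the noiseless run, eps_inf the
    empirical steady-state mean deviation over seeded noisy runs (cf. Table 1)."""
    Acl = closed_loop(XI, GAMMA, C, K, L)
    e0 = sub(X0, XT0)                                                 # x(0) - x^(0), P0 = 0
    W0 = blk(zeros(3, 3), zeros(3, 3), zeros(3, 3), mm(e0, tr(e0)))   # cf. (11)
    Wn = noise_cov(F, E, L)
    eps_det = precision(lyapunov(Acl, W0), H)                         # Theorem 5
    eps_x0 = precision(lyapunov(Acl, add(W0, Wn)), H)                 # Theorem 6
    eps_inf = precision(lyapunov(Acl, Wn), H)                         # t -> infinity
    tail = [d for s in range(runs) for d in simulate(noisy=True, seed=s)[settle:]]
    return {"eps_det": eps_det, "det_max": max(simulate()), "eps_x0": eps_x0,
            "eps_inf": eps_inf, "emp_inf": sum(tail) / len(tail)}

if __name__ == "__main__":
    print("K* by Riccati iteration:", lq_gain(XI, GAMMA, H), run_checks())
```

Two things worth noticing when running it: the Riccati iteration returns the page's $K$ to four decimals and makes $A - BK$ zero on the first two states, which is the deadbeat behaviour Section 6.1 warns about; and the certified $\varepsilon$ values dominate both the noiseless trajectory and the empirical steady-state deviation regardless of what $u_q$ does, because the error dynamics of (5) do not involve $u_q$ at all.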



We are interested in the advanced energy management of an office building. As a motivation for output-based controllers, consider a building that is divided in two connected zones, each with a radiator regulating the heat in each zone via the controlled boiler water temperature [8]. Due to a sensor fault in the second zone, only the temperature in the first zone and the ambient (outside) temperature are measured. The temperature fluctuations in the two zones and the ambient temperature are modelled via $M$ as [8]

$x(t+1) = \Xi x(t) + \Gamma u(t) + Fw_1(t),$   (15)

$y(t) = \begin{bmatrix} 1 & 0 & 0 \\ 0 & 0 & 1 \end{bmatrix} x(t) + Ew_2(t), \qquad z(t) = \begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \end{bmatrix} x(t),$   (16)

with stable dynamics

$\Xi = \begin{bmatrix} 0.8725 & 0.0625 & 0.0375 \\ 0.0625 & 0.8775 & 0.0250 \\ 0 & 0 & 0.9900 \end{bmatrix}, \qquad \Gamma = \begin{bmatrix} 0.0650 & 0 \\ 0 & 0.0600 \\ 0 & 0 \end{bmatrix},$

where $x_{1,2}(t)$ are the temperatures in zone 1 and 2, respectively; $x_3(t)$ is the deviation of the ambient temperature from its mean; and $u(t) \in \mathbb{R}^2$ is the control input. Note that since $\Xi$ is stable, it follows that $(\Xi, \Gamma)$ is stabilisable and $(\Xi, [\begin{smallmatrix} 1 & 0 & 0 \\ 0 & 0 & 1 \end{smallmatrix}])$ is detectable. The state variables are initiated as $x(0) = [16\ \ 14\ \ {-5}]^\top$. The constants in matrix $\Xi$ are selected to represent the heat exchange rate between the individual zones and the heat loss rate of each zone to the ambient; those in $\Gamma$ represent the rate of heat supplied by the radiators to the two zones, respectively. The disturbances are modelled as independent and identically distributed standard normal distributions rescaled by

$F = \begin{bmatrix} 0.05 & -0.02 & 0 \\ -0.02 & 0.05 & 0 \\ 0 & 0 & 0.1 \end{bmatrix}$

and $E$ (whose entries are not legible in this copy).

The upper block in $F$ represents random heat transfers, caused for example by people moving within and between zones, whereas the lower, right-diagonal element represents the stochastic nature of the fluctuation in the outside temperature. The values in $E$ define the standard deviation of the additive disturbance on the temperature sensors in the first zone and in the ambient. $y(t)$ is the stochastic signal that can be measured, whereas the specification is defined over $z(t)$ (zone temperatures).

The objective is to design an output-based, correct-by-design controller, such that the temperature trajectories $z(t) = (x_1(t), x_2(t))$ eventually both take values in the interval $[20.5, 21]^2$, and remain within this interval thereafter². The controller is initialised with $\hat{x}(0) = [16\ \ 16\ \ 0]^\top$: this deviation from $x(0)$ is selected to model a realistic situation occurring after a sensor failure in zone 2 is discovered.


Table 1
Error bounds: accuracy of the controlled systems based on the interface. For the perfect initialisation the accuracy is given by $\varepsilon_{x_0}$, and for $t \to \infty$ by $\varepsilon_\infty$. The estimates $\hat{\varepsilon}_{x_0,100}$ and $\hat{\varepsilon}_\infty$ are computed as $\sqrt{\hat{\mathbb{E}}_{[1,100]}\|\tilde{z}(t) - z(t)\|_2^2}$ and $\sqrt{\hat{\mathbb{E}}_{[10^2,\,4\cdot 10^3]}\|\tilde{z}(t) - z(t)\|_2^2}$ respectively, with the empirical mean computed as

                                        $\varepsilon_{x_0}$   $\varepsilon_\infty$   $\hat{\varepsilon}_{x_0,100}$   $\hat{\varepsilon}_\infty$
  $M_c \times_{\mathcal{F}_{ff}} M$     3.9618                0.4890                 1.9961                          0.4845
  $\tilde{M}_c$                         2.1194                0.1284                 0.5184                          0.1240

We synthesise $M_c$ by PESSOA [10], where the discrete-time dynamics are further discretised over state and action spaces: we have selected a state quantisation of .05 over the range $[15, 25]^2$, and an input quantisation of .05 over $[10, 30]^2$. Fig. 3a displays (continuous blue line) the state trajectory of the obtained correct-by-design system $M_c$: it can be observed that the controller regulates the model to eventually remain within the target region.

Next, we are interested in extending the designed controller to the concrete (noisy) model of the system based on noisy output measurements of the first zone and of the ambient. As a first attempt we implement the controller based on a feedforward architecture, where $\mathcal{F}_{ff} := u(t)$. This is what we would obtain applying the results in [16]. It can be observed in Fig. 3a (circled red realisation) that a trajectory $(x_1(t), x_2(t))$ in $M_c \times_{\mathcal{F}_{ff}} M$ deviates substantially from the desired temperature range. In Table 1 the accuracy of this feedforward interface is given. As a second design, we implement the structure in Fig. 2, where the gains $K, L$, as detailed in Subsection 6.1, are selected as the optimal LQ and Kalman gains, respectively. The resulting design values are

$L = \begin{bmatrix} 0.5201 & 0.0333 \\ -0.2239 & 0.0262 \\ 0.0022 & 0.8196 \end{bmatrix} \qquad \text{and} \qquad K = \begin{bmatrix} 13.4231 & 0.9615 & 0.5769 \\ 1.0417 & 14.6250 & 0.4167 \end{bmatrix}.$

A trajectory (crossed grey line in Fig. 3a) realised from $\tilde{M}_c = M_c \times_{\mathcal{F}_g} (M\|O(M))$ and based on the previous noise realisation ends up close to the desired temperature range. This substantial improvement with respect to the feedforward interface is also quantified in Table 1. Fig. 3b displays the error of the state estimation $x(t) - \hat{x}(t)$ of $\tilde{M}_c$ (upper plot): it can be observed that the estimated state converges to the exact state. The lower plot in Fig. 3b provides a simulation of the deviation of the ambient temperature from its mean.


The dynamics of the noiseless model $M$ are solely governed over the first two states, where the correct-by-design controller for the given specification is designed.

² This property can be formally expressed as an "eventually always" specification in LTL.

8 Conclusions and future work

In this work we have shown that correct-by-design controllers can be extended to work on stochastic partially-observable LTI systems, as long as the LTI system is detectable and stabilisable. Future work will concern extensions to non-linear dynamics and the development of tailored notions of probabilistic approximations.